TACACS+ authentication and authorization on IOS XR

laviel
Cisco Employee

Hi all,

I've been trying to connect several IOS-XR devices in our lab (ASRs, GSRs and CRSs) to our TACACS+ server (Cisco Secure ACS, release 4.2(0)). The goal is for the TACACS+ server to manage user authentication and command authorization for all CLI, non-console login types (Telnet and SSH). I use no HTTP server access to the devices and I'd like to keep the console login on local credentials.

I've got many IOS devices connected to that TACACS+ server with the following AAA-related configuration. I'd like to implement the same principles on the IOS-XR devices, but since the command structure is different and I couldn't figure out how to do this using the manual, I need your expert help:

aaa new-model
!
aaa group server tacacs+ acs-servers-group
 server <TACACS-IP-ADDRESS>
!
aaa authentication login default local
aaa authentication login local_vty local
aaa authentication login console local
aaa authentication login acs group acs-servers-group local
aaa authorization exec default group tacacs+
aaa authorization commands 15 acs_cmds group tacacs+
aaa authorization commands 15 local_cmds none
!
aaa session-id common
!
skipped...
!
username ******** privilege 15 secret 5 *************************************
!
skipped...
!
tacacs-server host <TACACS-IP-ADDRESS> key 7 ***************
tacacs-server directed-request
!
skipped...
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 authorization commands 15 acs_cmds
 login authentication acs
 transport preferred telnet
 transport input all
line vty 5 15
 exec-timeout 0 0

* Note: the IOS-XR devices run versions 4.1.2 and 4.2.0.

Thanks a lot for any help you could provide.

Lior

1 Accepted Solution


Tarik Admani
VIP Alumni

Lior,

You need to send back the task IDs and/or task groups in order to make this work. From my experience working with these platforms, you do not really need to perform command authorization if you trust the task IDs/groups that are built into the ASR.

The flow for TACACS command authorization on these devices is a little different from traditional IOS (unless something has changed in the last 6 months). Basically, if the user tries to execute a command, the TACACS command authorization is only triggered if the command falls within his/her task umbrella. If it is not there, then the command authorization is never triggered.

Here is some documentation that I feel will help you:

https://supportforums.cisco.com/docs/DOC-15944

Thanks,

Tarik Admani
*Please rate helpful posts*
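As an added illustration (not part of the thread and not a Cisco reference configuration), here is one way to express Lior's IOS method lists in IOS XR syntax: the default lists used by vty (SSH/Telnet) sessions go to ACS with local fallback, a named CONSOLE list stays local, and the ACS side returns task groups so that exec and command authorization can take effect as Tarik describes. The server address, key, local username and list names are placeholders.

```cisco
! Added example (not from the thread): IOS XR counterpart of the IOS AAA
! config above. Server address, key, user and list names are placeholders.
tacacs-server host 192.0.2.10 port 49
 key 7 <ENCRYPTED-KEY>
!
aaa group server tacacs+ ACS-SERVERS-GROUP
 server 192.0.2.10
!
! Local fallback account; on IOS XR rights come from task groups, so the
! user must be in root-system (or another usergroup) to do anything useful.
username localadmin
 group root-system
 secret 5 <HASH>
!
! Method lists. "default" is what vty (SSH/Telnet) sessions use:
! ACS first, local only if every TACACS+ server is unreachable.
aaa authentication login default group ACS-SERVERS-GROUP local
aaa authorization exec default group ACS-SERVERS-GROUP local
aaa authorization commands default group ACS-SERVERS-GROUP none
!
! Console stays on local credentials and local (task-group) authorization.
aaa authentication login CONSOLE local
aaa authorization exec CONSOLE local
aaa authorization commands CONSOLE none
!
line console
 login authentication CONSOLE
 authorization exec CONSOLE
 authorization commands CONSOLE
!
line default
 login authentication default
 authorization exec default
 authorization commands default
 transport input ssh telnet
!
! ACS side: the shell profile for the user/group must return a task
! attribute, otherwise exec authorization succeeds but the user lands in a
! session with no rights. Format per the IOS XR AAA guide, e.g.
!   task = "rwx:bgp,#operator"
! Per Tarik's note, command authorization is only consulted for commands
! already inside the user's task set; anything outside is refused by the
! local task check first, so the returned tasks are what really matters.
```

Verify with `show user tasks` after logging in over SSH: an empty task list means ACS did not return the task attribute, regardless of what the TACACS+ authorization lists say.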


Thanks Tarik,

I'll give it a try and report back.

Lior